clarifying section 11.2 in draft 11 for HTML discovery?
Peter Watkins
peterw at tux.org
Thu May 24 15:19:23 UTC 2007
Section 11.2 states
"If the Claimed Identifier was not present in the request ("openid.identity" was "http://specs.openid.net/auth/2.0/identifier_select"), the Relying Party MUST perform discovery on the Claimed Identifier in the response to make sure that the OP is authorized to make assertions about the Claimed Identifier."
It then goes on to illustrate how an XRDS document could be constucted
for verifying an OP's authority in such a post-assertion discovery
process. It would seem logical that HTML discovery should be an option
here, and that a confirming HTML document would include the usual LINK
elements. For instance, if the OP Endpoint URL was https://id.plumbers.co/
and the identifier in the assertion was https://id.plumbers.co/users/1234
then HTML discovery for 11.2 would work by requesting the URL
https://id.plumbers.co/users/1234 and verfiying that its HREF for
openid2.provider was "https://id.plumbers.co/" and the HREF for
openid2.local_id was "https://id.plumbers.co/users/1234".
But as it stands, only XRDS (XRI/Yadis?) post-assertion discovery is discussed.
Shouldn't the spec clarify what is required for an HTML discovery to
uphold an assertion that triggers 11.2's discovery process?
-Peter
More information about the specs
mailing list